
Problem with a login form and secured directory

Participant, May 22, 2008
Hello;
I wrote a log in form for my application. I am locking out a directory that is in my web site root directory.

http://www.mysite.com/lockeddirectory/index.cfm

I have 2 application.cfc files, one in my root directory and one in the locked out directory. I have to use a proxyapplication.cfc to communicate between the file in the root and the locked directory. (I don't have server control)

Now the code I wrote for the log in works to a point. It does log me in, and it passes the variables to the pages I want it to. BUT when you're logged into the locked directory, and you click on a link to go to one of the pages in that directory, it kicks you out and wants you to log in again. I can't figure out what I did wrong. Can anyone help me out and help me tweak my code to make it work?

Here is my code:

LoginCheck.cfm

<cfparam name="FORM.userLogin" type="string">
<cfparam name="FORM.userPassword" type="string">

<cfquery NAME="getUser" datasource="#APPLICATION.dataSource#">
    SELECT user.id, user.Fname, user.Lname
    FROM user
    WHERE userName = <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.UserLogin#">
    AND password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.UserPassword#">
</cfquery>

<cfif getUser.recordCount eq 1>
    <cflock scope="Session" type="EXCLUSIVE" TIMEOUT="20">
        <cfset SESSION.auth = structNew()>
        <cfset SESSION.auth.isLoggedin = "yes">
        <cfset SESSION.auth.id = getUser.id>
        <cfset SESSION.auth.Fname = getUser.Fname>
    </cflock>
    <cfquery name="updateLoginInfo" datasource="#APPLICATION.dataSource#">
        UPDATE user SET
        lastLogin = #CreateOdbcDateTime(now())#,
        hits = hits+1
        WHERE ID = #val(getUser.Id)#
    </cfquery>
    <cflocation url="admin/index.cfm">
<cfelse>
    <cflocation url="login.cfm?login=#form.UserLogin#&getUser=#getUser.recordCount#" addtoken="no">
</cfif>

Application.cfc file in locked directory:

<cfcomponent output="false" extends="ProxyApplication">
    <cffunction name="OnRequestStart" output="false" returntype="void">
        <cfif NOT isDefined("SESSION.auth.isLoggedIn")>
            <cflocation url="../sitemanager.cfm" addtoken="no">
            <cfabort>
        <cfelseif isDefined("FORM.UserLogin")>
            <cfinclude template="../LoginCheck.cfm">
        </cfif>
    </cffunction>
</cfcomponent>

I do have session management and cookies and everything turned on in the main application.cfc file. So I am confused on why this is looking to make me log back in every time I click on a link in the protected directory.

Thank you

CFmonger
LEGEND, May 22, 2008
Try this:
change the returntype of your onRequestStart method to 'boolean' and add <cfreturn true /> to the function.

One other thing to check: this line in your LoginCheck.cfm, <cflocation url="admin/index.cfm"> - since the page is included in your locked dir as well, do you have a sub-dir called 'admin' in your locked dir?

Does your main Application.cfc set an application name?

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/
Participant, May 22, 2008
No, the LoginCheck is not in the locked directory. There are 3 pages:

sitemanager.cfm
LoginCheck.cfm

In the locked directory:
Application.cfc

I am using an application.cfc in the root directory and a proxy application to extend it to the locked directory with this code:

proxyapplication.cfc
<cfcomponent extends="Application">
</cfcomponent>

application.cfc in locked directory:
<cfcomponent output="false" extends="ProxyApplication">

Do I need to add more code to these 2 application files?
Will this make a difference in the suggestion you made?

I did try adding boolean and it threw an error and said it was wrong, so this is what I tried next:

<cfcomponent output="false" extends="ProxyApplication">

    <cffunction name="OnRequestStart" output="false" returntype="string">
        <cfif NOT isDefined("SESSION.auth.isLoggedIn")>
            <cflocation url="../sitemanager.cfm" addtoken="no">
            <cfabort>
        <cfelseif isDefined("FORM.UserLogin")>
            <cfinclude template="../LoginCheck.cfm">
            <cfreturn true>
        </cfif>
    </cffunction>
</cfcomponent>

And it is still trying to kick me out to sitemanager.cfm.
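
An added example, not code from any poster in this thread: one way to write the locked directory's onRequestStart guard with the 'boolean' return type suggested in the reply above, returning a value on every path that reaches the end of the function. It assumes the session keys that LoginCheck.cfm sets (SESSION.auth.isLoggedin) and that the login form posts to LoginCheck.cfm in the root, so this handler only checks the session and does not process the login itself.

```cfml
<!--- Application.cfc in the locked directory (added example, not the poster's file) --->
<cfcomponent output="false" extends="ProxyApplication">

    <cffunction name="onRequestStart" access="public" output="false" returntype="boolean">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var loggedIn = false>

        <!--- Read the flag under a read-only session lock, matching the
              exclusive lock LoginCheck.cfm takes when it writes SESSION.auth. --->
        <cflock scope="Session" type="readonly" timeout="20">
            <!--- Test the flag's value, not only that the key exists, so a
                  leftover or partially built SESSION.auth does not count as a login. --->
            <cfif structKeyExists(SESSION, "auth")
                  AND structKeyExists(SESSION.auth, "isLoggedin")
                  AND SESSION.auth.isLoggedin EQ "yes">
                <cfset loggedIn = true>
            </cfif>
        </cflock>

        <cfif NOT loggedIn>
            <!--- cflocation ends the request, so nothing after it runs
                  and no separate cfabort is needed. --->
            <cflocation url="../sitemanager.cfm" addtoken="no">
        </cfif>

        <!--- Authenticated: return true so ColdFusion processes the requested page. --->
        <cfreturn true>
    </cffunction>

</cfcomponent>
```

Because this handler overrides onRequestStart, any onRequestStart defined in the root Application.cfc does not run for pages in this directory unless it is called explicitly.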